feat(pipeline): add sbom reporting with dependency track
Basic implementation of #25 (closed), replaces !145 (closed).
It creates an SBOM job for each env and component in the verify stage.
- Uses the Trivy scanner
- When the build type is `custom` it can be customized or disabled
- Supports Yarn workspaces; each component will upload an SBOM with all workspace packages
- Uploads to Dependency Track (DT) as project `<customerName>-<appName>/<componentName>` with release set to `<env>`
  - This means review environments will overwrite each other
- Uploads to DT only after the deployment has succeeded, unless deployments are disabled
Not implemented:
- Handling of `DT_KEY`. Manually configuring it as a GitLab group CI/CD variable should be good enough.
- Disabling of the project in DT
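For orientation, here is what one of the generated jobs could look like as a single expanded `.gitlab-ci.yml` job. This is an added illustration, not the MR's own code: the job and deploy job names, `BUILD_TYPE`, `SBOM_DISABLED`, `DT_URL` and the `CUSTOMER_NAME`/`APP_NAME`/`COMPONENT_NAME`/`ENV` variables are assumed; `DT_KEY` is the group CI/CD variable the description mentions.

```yaml
# Added example (not the MR's generated code). Assumes CUSTOMER_NAME, APP_NAME,
# COMPONENT_NAME and ENV are set elsewhere in the pipeline, DT_URL is the
# Dependency-Track base URL and DT_KEY is the masked group CI/CD variable.
sbom:backend:staging:
  stage: verify
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  # Run only after the matching deploy job succeeded (assumed job name), so a
  # failed rollout never replaces the SBOM of what is actually running.
  needs: [deploy:backend:staging]
  rules:
    # Custom build type may opt out of SBOM generation entirely.
    - if: '$BUILD_TYPE == "custom" && $SBOM_DISABLED == "true"'
      when: never
    - if: '$CI_COMMIT_BRANCH'
  variables:
    DT_PROJECT: "${CUSTOMER_NAME}-${APP_NAME}/${COMPONENT_NAME}"
    DT_VERSION: "${ENV}"   # review envs share one version and overwrite each other
  script:
    - apk add --no-cache curl   # the Trivy image is Alpine-based and ships without curl
    # One CycloneDX SBOM per component; a Yarn workspace is resolved from the
    # root yarn.lock, so every workspace package ends up in this one document.
    - trivy fs --format cyclonedx --output sbom.cdx.json .
    # Upload to Dependency-Track. --fail turns an HTTP error into a job failure
    # instead of silently leaving DT stale; autoCreate creates the project on
    # first upload, which needs an API key with the PROJECT_CREATION_UPLOAD permission.
    - >
      curl --fail --silent --show-error
      -X POST "${DT_URL}/api/v1/bom"
      -H "X-Api-Key: ${DT_KEY}"
      -F "autoCreate=true"
      -F "projectName=${DT_PROJECT}"
      -F "projectVersion=${DT_VERSION}"
      -F "bom=@sbom.cdx.json"
  artifacts:
    paths: [sbom.cdx.json]
    reports:
      cyclonedx: sbom.cdx.json
```

Keeping the SBOM as a job artifact alongside the upload gives an audit trail per pipeline even when DT later overwrites the shared `<env>` release.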